
Securing Skill Based Games

A survey of common hacks and techniques for remediation

Attacking the Server

Arxan: Protecting the App Economy


• DDoS

- No real value for the attacker (unless perhaps they’re your competition :-)

- Usually just “kids having fun”

• Penetration and subversion of the server itself

- Difficult, but real value for the attacker, so it attracts the grown-up bad guys

- Certainly not impossible, as evidenced by the JP Morgan Chase intrusion over
the summer, where the attackers had obtained root credentials on at least 90 of
JPMC’s internal servers.

• Network packet manipulation

- Alter the server’s state by forging network traffic

- Usually accomplished from the client side, but technically an attack on the
server’s state
Attacking the Client (server indirectly)

• Game Data Snooping and/or Input Grooming

- Aimbots / Triggerbots

- Radars / ESP

• Game Asset Modification

- Texture Hacks

• Game Logic Modification

- Collision Detection Disable

- Network Traffic Forgery


Aimbots / Triggerbots

• Aimbot definition

- Internal or external machine that tracks objects within a game view
and automatically aims and/or triggers the player’s weapon






Aimbots / Triggerbots 


• Background 

- Three basic classes of Aimbots 

• Color / Object Tracking Aimbots (COT) 

• Client Hook Aimbots (CH) 

• Graphics Driver Aimbots (GD) 

- General Characteristics of Aimbot classes 

• COT Aimbots 

- Minimally invasive 

- Computationally intensive 

• CH Aimbots 

- Maximally invasive 

- Computationally lightweight 

• GD Aimbots 

- Balance between invasiveness and computational load 


Color / Object Tracking Aimbots

• Theory of operation 

- Screen scrape for color / objects 

- Calculate vector 

- Inject input via input drivers 

• Detectability / Preventability 

- Practically impossible to detect 

- Effect can be mitigated with intelligent asset design 

- Some hack augmentation such as asset color manipulation that 
improves effectiveness can be effectively prevented 


Client Hook Aimbots 



• Theory of operation 


- Hook particular functions within game client 

- Scan game memory for objects 

- Calculate vector 

- Directly invoke firing functions or inject input via drivers or by 
modification of game client resident buffers 

• Detectability / Preventability 

- Generally easy to detect 

- Generally easy to prevent 


Graphics Driver Aimbots 



• Theory of operation 

- Hook particular functions within the graphics driver DLL (mapped by 
the game client) 

• Often the hooked graphics function provides direct access to the 
memory representing object coordinates 

- Calculate vector 

- Directly invoke firing functions or inject input via drivers or by 
modification of game client resident buffers 

• Detectability / Preventability 

- Generally easy to detect 

- Moderately straightforward to prevent 


Radars / ESP

• Radar definition

- Internal or external machine that tracks objects within world and 
provides overview of target coordinates (usually a “top down” fixed 
camera view) 



Radars / ESP 



• Theory of Operation 

- Scans the local game memory identifying targets 

• Requires knowledge of the game data structure 

• Typically hackers reverse engineer and publish offsets of data members

• Theoretically automated processing could be performed to reverse 
engineer coordinate data by motion vector analysis of random data 
triples and recording addresses that produce “sensible” vectors 

• Detectability / Preventability 

- If done properly, practically impossible to detect 

- Preventable by runtime obfuscation of data 


Texture Hacks

• Texture hack definition

- Modification of texture data, usually to obtain transparency or
camouflage

Texture Hacks

• Background 

- Two common classes of texture hacks 

• Wall hacks 

- Make walls transparent 

- Alter texture to visually expose enemies 

• Chamming 

- Alter enemy texture to visually highlight them 
Texture Hacks

• Theory of operation 

- Alter texture data on disk 

- Alter texture data in memory 

• Detectability / Preventability 

- If done properly, difficult to detect; if done poorly, easy to detect

- Prevented through use of white-box cryptography and anti-tamper 
Collision Detection Disable

• Collision detection disable definition

- Modification of functions used to perform collision detection
Collision Detection Disable

• Theory of operation 

- Alter functions that check for character / object collision 

- Typically all that is required is to disable the code (patch a return) 

• Detectability / Preventability 

- Easily detected 

- Easily prevented with code hardening 




Network Packet Manipulation

• Network packet manipulation definition

- Modification or temporal disordering of data packets destined for
either the server or the client
Network Packet Manipulation



• Background 

- Network packet manipulation can be used to accomplish many types of 
hacks 

• Artificial lag 

- Software based “lag-switch” (slow down rate at which all packets are tx’d/rx’d) 

• Look-ahead 

- Software induced latency (see what other user action is, then send your action 
with a prior timestamp) 

• Hack report sinking 

- Identify hack reports going to server and disable or “undo” them 


- General Characteristics of network packet manipulation 

• Although in theory packet manipulation is possible outside of the process
space, most client/server games implement encryption which (if properly done)
renders this impractical
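A server-side counterpart to the look-ahead and lag-switch tricks above, as an added example that is not from the slides: the server bounds each client timestamp against its own receive clock and the measured round trip, and counts violations toward a hack report rather than kicking on a single lag spike. Type and function names and the thresholds are assumed for the example.

```c
#include <stdint.h>

/* Per-client state kept by the server (names assumed for the example). */
typedef struct {
    uint32_t last_action_ts;   /* last accepted client timestamp, ms */
    uint32_t rtt_ms;           /* round trip measured from recent pings */
    uint32_t suspicious;       /* violations feeding a hack report */
} client_state_t;

enum { ACT_OK = 0, ACT_NOT_MONOTONIC = 1, ACT_TOO_OLD = 2, ACT_FUTURE = 3 };

/* client_ts: timestamp the client stamped on the action (its clock is
 * synced to the server's at login). server_now: server receive time on
 * the same clock. slack_ms: jitter tolerated beyond the measured RTT.
 * One late packet is a lag spike; a steady stream of them is the
 * lag-switch or look-ahead pattern, hence a counter rather than a kick. */
int validate_action(client_state_t *c, uint32_t client_ts,
                    uint32_t server_now, uint32_t slack_ms) {
    int verdict = ACT_OK;
    if (client_ts <= c->last_action_ts)
        verdict = ACT_NOT_MONOTONIC;          /* replayed or reordered */
    else if (client_ts > server_now)
        verdict = ACT_FUTURE;                 /* stamped ahead of server time */
    else if (server_now - client_ts > c->rtt_ms + slack_ms)
        verdict = ACT_TOO_OLD;                /* "sent with a prior timestamp" */

    if (verdict == ACT_OK)
        c->last_action_ts = client_ts;
    else
        c->suspicious++;
    return verdict;
}
```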


Network Packet Manipulation


• Theory of operation 


- Hook the functions that encrypt/decrypt packets within the game
client process

- Because the hook sits in the code, before encryption or after decryption,
encryption offers no protection


• Detectability / Preventability 

- Easily detected 

- Easily prevented with code hardening 
Questions?

How Can Arxan Help?

Arxan Technology


• Anti-Reverse Engineering 

- Prevent the attacker from understanding the code 

• Obfuscation (at the machine code level) 

• Encryption of .text (forces attacker to memory dump) 

- Effective 

• Immediately raises the barrier 

• Software Anti-tamper 

- Software version of the epoxy encapsulation for hardware 

- Active guards that are injected into your game’s client binary at the
machine code level

• If attacker attempts to “pull the code apart” the code will “self-destruct” 

• Code can cloak itself and only reveal itself once it is committed to completing 
its function (e.g. hack report function) 


Arxan Technology 



• Software based whitebox cryptography 

- Secures key material 

• Key material remains encrypted at all times, even during cipher 
operation 

• Key lifting is extremely difficult 

- When combined with code hardening, the code cannot be lifted from 
game client binary 

• Code hardening becomes the “epoxy” over the crypto chip 

• Difficulty of lifting a key becomes similar in magnitude to lifting a key 
from a hardware TPM 

• If the white-box is eventually compromised (typically measured in years) 
breach mitigation is only a software update away 


Arxan Code Hardening

[Figure: call graph of a protected program, annotated with the guard network described below]

• Network of "guards"

- Use multiple "guards" to protect a single code range

- "guards" protect selected ranges of code

- "guards" protect the entire image

- "guards" protect each other

- Layered protection: the image is protected by a checksum guard, that guard by a global signature, and the guards by an obfuscation guard

- When an attack is detected, "guards" "fire"; the reaction is programmable


Unprotected Program

[Figure: IDA Pro view of the unprotected binary: a clean disassembly of start() with resolved cross references, a populated Names window, and a Strings window listing readable imports such as CreateToolhelp32Snapshot, Module32First, Module32Next, InterlockedCompareExchange and InitializeCriticalSectionAndSpinCount]

Notice:

- Easily disassembled instructions

- Strong cross references

- Valid, readable string references
Arxan Protected Program

[Figure: IDA Pro view of the same binary after protection: start() is reduced to a jmp followed by a block of opaque dd data, and IDA reports "Can't find name (hint: use manual arg)" for every reference it tries to resolve]

Notice:

- IDA is unable to disassemble

- Cross references unknown

- Encrypted, damaged, or missing strings

- Forced manual analysis
Specify guards that should be injected

[Figure: GuardIT project tree for the SimpleSimon demo]

SimpleSimon
  .guarditproject
  .project
  .settings
  PassCheck.cpp
  SimpleSimon.cpp
  SimpleSimon.gsml
    Config
    Image: Simple_Simon
      Guard (authentication): AuthenticatePassCheck
      Guard (obfuscation): CheckingCheckPassReturn
      Guard (encryption_wrapper): Encryption
    Image: PassCheck
      Range: PasswordFunctions
      Guard (obfuscation): ObfuscatePasswordFunctions
      Patch: PatchDisplayPass
      Guard (encryption_wrapper): Encryption
      Guard (checksum): ChecksumPassFunctions
      Guard (checksum): ChecksumPassCheckVersion
  Simple_Simon
  guardit_project_config.xml
  libPassCheck.dylib


Invoke Engine to Process the Binary

[Figure: GuardIT for Mac OS X (Eclipse) at /Users/rennieallen/Documents/eclipse_demo with the SimpleSimon project tree open, the SimpleSimon.gsml editor showing the excerpt below, and the console showing the protection run]
Excerpt of SimpleSimon.gsml:

    <protected_range>
      <include>
        <range>
          <image_name>PassCheck</image_name>
          <code>PassCheckVersion</code>
        </range>
      </include>
    </protected_range>
    <invocation>
      <locationSet>
        <include>
          <location>
            <image_name>PassCheck</image_name>
            <label>GetPass</label>
          </location>
        </include>
      </locationSet>
    </invocation>
    <algorithm>
      <use>fast</use>
    </algorithm>


Console output:

    Z16PassCheckVersionPc
    'PassCheck.ChecksumPassFunctions' successfully installed.
    Lookup of substring 'GetPass' returns:
    Z7GetPassPc
    'PassCheck.ChecksumPassCheckVersion' successfully installed.
    Obfuscating 'PassCheck.all_guards' (level 2)... Ok.
    690 instructions resulted in 1318 instructions.
    'PassCheck._obfuscate_all_guards' successfully installed.
    'Simple_Simon.Encryption' successfully installed.
    'PassCheck.Encryption' successfully installed.
    Finalizing program changes...
    Lookup of substring 'PassCheckVersion' returns:
    FDE for: Z16PassCheckVersionPc
    Z16PassCheckVersionPc
    Lookup of substring 'PassCheckVersion' returns:
    FDE for: Z16PassCheckVersionPc
    Z16PassCheckVersionPc
    Applying Encryption Wrapper Guard to image 'Simple_Simon'...
    Applying Encryption Wrapper Guard to image 'PassCheck'...
    Transformed image 'Simple_Simon' written to file '/Users/rennieallen/Documents/eclipse_demo/SimpleSimon/Protected/Simple_Simon' (27519 bytes, or 18556 of the original image size).
    Transformed image 'PassCheck' written to file '/Users/rennieallen/Documents/eclipse_demo/SimpleSimon/Protected/libPassCheck.dylib' (22140 bytes, or 22656 of the original image size).
    Protection completed successfully.




Test the Protection 



Without tampering:

    greenheart:Protected rennieallen$ PATH=$PWD:$PATH ./Simple_Simon
    Entering EW guard instance
    Guard Encryption: invoked.
    Integrity algorithm: fast
    integrity/integrityvalue:
    8b5110e7 / 8b5110e7
    Guard Encryption ran.
    Guard Encryption exited.
    Guard AuthenticatePassCheck: invoked.
    Guard AuthenticatePassCheck: ran.
    Guard AuthenticatePassCheck: exited.
    Simple Simon 2.0
    Enter Password: secret
    Result is 1
    (16231) Simple Simon met a pieman going to the fair;
    (16231) Said Simple Simon to the pie man, let me taste your ware.
    (16231) Said the pie man to Simple Simon, show me first your penny.
    (16231) Said Simple Simon to the pie man, Sir, I have not any!
    The results of the functions is: 20
    begin: 3695
    end: 26568
    greenheart:Protected rennieallen$

With tampering:

    greenheart:Protected rennieallen$ PATH=$PWD:$PATH ./Simple_Simon
    Entering EW guard instance
    Guard Encryption: invoked.
    Integrity algorithm: fast
    integrity/integrityvalue:
    2a96d123 / 2a96d123
    Guard Encryption ran.
    Guard Encryption exited.
    Guard AuthenticatePassCheck: invoked.
    Guard AuthenticatePassCheck: ran.
    Guard AuthenticatePassCheck: fired.
    Guard AuthenticatePassCheck: exited.
    Simple Simon 2.0
    Enter Password: secret
    Result is 1
    (16231) Simple Simon met a pieman going to the fair;
    (16231) Said Simple Simon to the pie man, let me taste your ware.
    (16231) Said the pie man to Simple Simon, show me first your penny.
    (16231) Said Simple Simon to the pie man, Sir, I have not any!
    The results of the functions is: 20
    begin: 3646
    end: 25305
    greenheart:Protected rennieallen$





Aimbots: GuardIT™ Specific Remediation


• Color/Object Tracking 

- Encrypt all character assets 

• Prevents augmentation for color tracking (i.e. changing asset colors to make 
characters easily identifiable) 


• Client Hook 

- Checksum functions that are used for weapon aiming or character
movement

- Repair functions that are tampered 

• Graphics Driver 

- Where the graphics driver DLL (e.g. DirectX) is the attack vector, utilize 
the hook detection guard (will fire if any standard DLL entry points are 
hooked) 

- Repair functions that are tampered 


Radars/ESP: GuardIT™ Specific Remediation

• Generally not detectable if implemented by pure memory 
scanning 

• Prevention is generally the only viable option 

- Use Data Obfuscation Guards to scramble character position data 
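The position scrambling in the last bullet, shown as an added example (hand-rolled for this page, not Arxan's Data Obfuscation Guard): coordinates are kept XOR-masked under a per-entity key that is rotated every frame, so the stable, "sensible" float triples a memory-scanning radar searches for are never resident in the plain. The struct, the keystream and the function names are assumptions of the example.

```c
#include <stdint.h>
#include <string.h>

typedef struct {
    uint32_t masked[3];   /* x, y, z as IEEE-754 bits XORed with a keystream */
    uint32_t key;         /* current mask seed; changed by obf_pos_rekey() */
} obf_pos_t;

/* xorshift32-style keystream, one word per lane. Constructed for the
 * example: it hides data from a scanner, it is not a cryptographic PRNG. */
static uint32_t mix(uint32_t seed, uint32_t lane) {
    uint32_t x = seed ^ (0x9E3779B9u * (lane + 1));
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return x;
}

static uint32_t f2u(float f) { uint32_t u; memcpy(&u, &f, 4); return u; }
static float u2f(uint32_t u) { float f; memcpy(&f, &u, 4); return f; }

/* Store a position; the plaintext bits never reach the struct. */
void obf_pos_set(obf_pos_t *p, uint32_t key, const float xyz[3]) {
    p->key = key;
    for (int i = 0; i < 3; i++)
        p->masked[i] = f2u(xyz[i]) ^ mix(key, (uint32_t)i);
}

/* Decode at the point of use only (physics step, renderer). */
void obf_pos_get(const obf_pos_t *p, float xyz[3]) {
    for (int i = 0; i < 3; i++)
        xyz[i] = u2f(p->masked[i] ^ mix(p->key, (uint32_t)i));
}

/* Re-mask under a fresh key each frame so the stored words never stay
 * constant even for an entity that is standing still. */
void obf_pos_rekey(obf_pos_t *p, uint32_t new_key) {
    float tmp[3];
    obf_pos_get(p, tmp);
    obf_pos_set(p, new_key, tmp);
}

/* Self-check: does the raw struct contain the plaintext coordinate bits
 * a naive scanner would look for? 1 = yes (obfuscation failed), 0 = no. */
int obf_pos_leaks_plaintext(const obf_pos_t *p, const float xyz[3]) {
    for (int i = 0; i < 3; i++)
        if (p->masked[i] == f2u(xyz[i])) return 1;
    return 0;
}
```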


Texture Hacks: GuardIT™ Specific Remediation



• Detection of manipulation of texture data on disk can be 
performed using checksums of asset data 

- Use Data Obfuscation Guard and Checksum Guards to protect the asset 
checksum (in the game memory) from tampering 

• Detection of manipulation of texture data in runtime memory can 
be manually coded 

- Calculate in-memory checksum of texture data at load time and store 
this value using Data Obfuscation Guard to protect the checksum value 
from discovery 

• Preventable by using white-box crypto to maintain all assets in 
encrypted form at runtime 

- By linking environmental checks (e.g. debugger detection) to encrypted 
routines that damage internal white-box data, texture assets will only be 
properly constructed in memory if the game client is not being observed 
or tampered 


Collision Detector Hack: GuardIT™ Specific Remediation



• Detection easily accomplished with GuardIT™ Checksum 
Guards 

- Typically the collision detector routines are relatively compact, so the
checksum is fast

• Preventable by utilizing repair guards to repair the tampered 
code 

- Since the detector routines are relatively compact, the performance 
impact of prevention is moderate and is only paid by the hackers 
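The checksum-plus-repair idea behind both the texture-hack slide (checksum asset data at load time, keep the stored checksum obfuscated) and this collision detector slide, as an added example that is not GuardIT code: one guard covers an arbitrary byte range, holds its reference value XOR-masked as a crude stand-in for a Data Obfuscation Guard, and on mismatch "fires" by restoring a golden copy. The guard_t type, the FNV-1a choice and the sample bytes are assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct {
    uint8_t *range;          /* protected bytes (asset buffer, or code) */
    size_t len;
    uint32_t masked_ref;     /* reference checksum XOR mask */
    uint32_t mask;
    const uint8_t *golden;   /* pristine copy used for repair; NULL = none */
} guard_t;

/* FNV-1a: cheap enough to run every frame over a compact routine. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

void guard_install(guard_t *g, uint8_t *range, size_t len,
                   const uint8_t *golden, uint32_t mask) {
    g->range = range; g->len = len; g->golden = golden; g->mask = mask;
    g->masked_ref = fnv1a(range, len) ^ mask;   /* plain value never stored */
}

/* 0 = intact, 1 = tampered. */
int guard_check(const guard_t *g) {
    return fnv1a(g->range, g->len) != (g->masked_ref ^ g->mask);
}

/* Run the guard; on tamper it "fires" by restoring the golden copy.
 * Returns 0 (intact), 1 (tampered and repaired), 2 (tampered, no repair).
 * A real repair guard over code would first make the page writable. */
int guard_fire(guard_t *g) {
    if (!guard_check(g)) return 0;
    if (!g->golden) return 2;
    memcpy(g->range, g->golden, g->len);
    return guard_check(g) ? 2 : 1;
}

/* Constructed sample: 14 bytes standing in for a tiny compare routine
 * (push ebp; mov ebp,esp; mov eax,[ebp+8]; cmp eax,[ebp+12]; setl al;
 * pop ebp; ret). The guard never interprets them; any bytes would do. */
static const uint8_t collision_golden[14] = {
    0x55, 0x89, 0xE5, 0x8B, 0x45, 0x08, 0x3B, 0x45,
    0x0C, 0x0F, 0x9C, 0xC0, 0x5D, 0xC3 };

/* Scenario from the slide: the routine is patched to return at once
 * (first byte overwritten with 'ret'); the guard must detect and repair.
 * Returns 1 when the range is back to the golden bytes, else 0. */
int demo_patched_return(void) {
    uint8_t code[14];
    memcpy(code, collision_golden, sizeof code);
    guard_t g;
    guard_install(&g, code, sizeof code, collision_golden, 0xA5A5A5A5u);
    code[0] = 0xC3;                    /* the "patch a return" tamper */
    int fired = guard_fire(&g);
    return (fired == 1 && memcmp(code, collision_golden, sizeof code) == 0);
}
```

For a texture buffer the same guard is installed with golden set to NULL (assets are reloaded rather than patched back), so a mismatch returns 2 and the caller decides the reaction.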


Network Packet Hack: GuardIT™ Specific Remediation



• Detection easily accomplished using GuardIT™ Checksum 
Guards 

- Checksum all network packet encryption functions 

- No need to checksum the downstream functions as the data is 
already encrypted 

• Preventable with use of GuardIT™ Repair Guards and 
TransformIT™ white-box cryptography 

- Repair guards will restore tampered packet encryption functions 

- White-box crypto will prevent attackers lifting the keys (which would 
otherwise enable downstream attacks) 